Does Proxy User Work?

John C. Amodeo amodeo at admin.rutgers.edu
Wed Jun 1 16:29:23 EDT 2005


Tim,

The thought has crossed my mind several times.  I see 2 problems with 
this approach:

1) We already have some active users on the new infrastructure, as well 
as several thousand on the old.  Users in both infrastructures would be 
blocked from accessing mail during the transfer period.

2) Since we have close to 200GB of mail spool, and judging from the 
speed of the imap-->imap transfer, this migration is likely to take 
several days (which is obviously unacceptable).

My thought was to come as close as possible to a rolling migration - 
bring both infrastructures "up to sync" with each other (which could 
happen in the background over the course of a few days), cut over DNS 
entries in the middle of the night, and then sync one last time...  I 
envision the equivalent of a manual replication / failover situation, if 
that makes any sense...

I'm hoping I can do this with minimal downtime (maybe an hour or two...)

-John

Tim Pushor wrote:

> How about backing up the ldap directory, resetting the passwords to a 
> known (to you) password, do the transition, and restore the directory?
>
> If that's not possible, how about setting up a new temporary directory 
> with your user accounts and the known password, temporarily point 
> cyrus to it until after the transition, then point it back?
>
> Thanks,
> Tim
>
> John C. Amodeo wrote:
>
>> I've been researching a way to proxy as another user for 2 days 
>> without luck.  It seems that Cyrus/SASL has the ability to take a 
>> proxy command, but I cannot find any feasible application of it.  I 
>> need help.
>>
>> Here's the situation:
>>
>> I need to migrate 4 legacy Cyrus 2.0.17 servers to a new Cyrus 2.1.15 
>> server.  For multiple reasons, I would rather perform the migration 
>> via imap using a sync utility like imapsync (or the equivalent) 
>> rather than trying to merge the 4 servers through a manual upgrade / 
>> reconstruct.
>>
>> I need to be able to "login" as a normal user, say Bob Smith, as the 
>> Cyrus superuser using Cyrus's credentials.  If not, it will be a 
>> nightmare (and a bad practice) to collect my users' IDs and 
>> passwords to run the conversion...  I would love to work in batch 
>> mode where I would only need to supply userid (of the user) and then 
>> the cyrus super account credentials (or equivalent...)
>>
>> I'm reading all over the place about the difference between authcid 
>> and authzid, proxyservers: cyrus, etc. etc. but can't find any true 
>> application for how this might work in real life.  I've tried every 
>> manageable combination of command line arguments with imtest to no 
>> avail...
>>
>> Both my 2.0.16 boxes and my 2.1.15 box authenticate against a central 
>> LDAP directory using sasl_mech_list: PLAIN.
>>
>> Does anyone have any ideas or suggestions?  I really want to avoid 
>> hacking the SASL code to take a "master" password for any user.
>>
>> Thanks in advance.
>>
>> -John
>>

-- 
______________________________________________________________
John C. Amodeo :: Associate Director of Information Technology
Faculty of Arts and Sciences
Rutgers, The State University of New Jersey
Voice: 732.932.9455 Fax: 732.932.0013

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
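
The thread's authcid/authzid distinction under the PLAIN mechanism, shown as an added example that is not part of the original messages and is not Cyrus or SASL library code. It follows the RFC 4616 message layout; the account names, passwords and the `PROXY_ADMINS` allow-list are constructed, and the server-side policy is a simplified model of a proxy-authorization check.

```python
import base64
import hmac

# Constructed sample data: account names and passwords are hypothetical.
ACCOUNTS = {"cyrus": "admin-secret", "bsmith": "bob-secret"}
PROXY_ADMINS = {"cyrus"}  # identities allowed to act as another user

def plain_initial_response(authzid, authcid, password):
    """RFC 4616 message: [authzid] NUL authcid NUL passwd, UTF-8 encoded."""
    if any("\x00" in field for field in (authzid, authcid, password)):
        raise ValueError("NUL is not allowed inside a PLAIN field")
    if not authcid or not password:
        raise ValueError("authcid and password are required")
    return "\x00".join((authzid, authcid, password)).encode("utf-8")

def b64_for_imap(message):
    """Base64 form, as sent after an IMAP AUTHENTICATE PLAIN command."""
    return base64.b64encode(message).decode("ascii")

def parse_plain(message):
    """Server side: split the message back into its three fields."""
    parts = message.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)

def check_password(user, password):
    """Constant-time comparison against the constructed account table."""
    stored = ACCOUNTS.get(user)
    return stored is not None and hmac.compare_digest(
        stored.encode("utf-8"), password.encode("utf-8"))

def authorize(message, proxy_admins=PROXY_ADMINS):
    """Return the identity the session acts as, or raise PermissionError."""
    authzid, authcid, password = parse_plain(message)
    # The password is always checked for authcid, never for authzid.
    if not check_password(authcid, password):
        raise PermissionError("authentication failed for " + authcid)
    if authzid in ("", authcid):
        return authcid  # no proxying requested
    if authcid not in proxy_admins:
        raise PermissionError(authcid + " may not act as " + authzid)
    return authzid

if __name__ == "__main__":
    msg = plain_initial_response("bsmith", "cyrus", "admin-secret")
    print(b64_for_imap(msg), "->", authorize(msg))
```

Because PLAIN carries the password in the clear (base64 is only an encoding), the exchange belongs inside TLS, and the set of identities allowed to proxy should be kept as small as the migration needs.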



